South Africa

Details

  • Service: Advisory, Tax
  • Type: Business and industry issue
  • Date: 2010/05/25

Protection of Personal Information Act (POPI)

The KPMG POPI Centre of Excellence is focussed on bringing solutions to our clients which are uncomplicated and, of primary importance, make business sense.

The Protection of Personal Information Bill – Principle 4: Further Processing Limitation 

As discussed in the previous edition, Principle 4 must be understood and applied within the context of Purpose Specification provided for in the third principle. Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfilment of those purposes. Thus, the Further Processing Limitation requires that an organisation may only use personal information for those purposes that were specified at the time that the individual consented to the processing of the information. If personal information is to be used for any other purpose or disclosed to any other recipients, the further consent of the individual must be obtained.

In terms of clause 15 of the Bill, further processing of personal information is permissible if that processing is compatible with the original purpose for which it was collected. In order to apply Principle 4, it is important to understand what is meant by the term “compatible”. The Bill does not contain a precise definition of the term but provides a list of factors that an organisation must consider when determining compatibility. These factors are:

  • the relationship between the further processing and the original purpose for which the information was collected, i.e. how close is the link between the original purpose and the intended further processing
  • the nature of the information, e.g. is it sensitive personal information
  • the consequences of the further processing for the individual, i.e. is the individual likely to benefit from or be prejudiced as a result of the further processing
  • the manner in which the information was collected, e.g. was the information collected directly from the individual or obtained from an indirect source
  • any contractual rights and obligations between the organisation, the individual and any other party (the fulfilment of such rights may possibly depend on the occurrence of the further processing).


Further processing will not be regarded as incompatible with the original purpose if:

  • the individual consents to the further processing
  • the personal information is publicly available
  • it is necessary in terms of any law, to further a legal or public interest or to prevent serious harm
  • the personal information is used for historical, statistical or research purposes but has been de-identified
  • such processing has been exempted in terms of the Bill.

It is generally accepted that the assessment of “compatibility” in terms of the Bill will ultimately depend on what is considered reasonable to prevent undue infringement on the rights of the individual concerned. However, the application of this principle is likely to pose certain practical challenges for larger organisations that rely on information sharing across their subsidiaries, divisions and/or product areas for acceptable commercial reasons such as, amongst other things, cross-selling, application assessments, central account management and fraud prevention. The effective embedment of this principle within the structures and processes of an organisation will therefore require a balance between furthering the organisation’s legitimate need to ensure sustainable business growth and the legally protected right of individuals to maintain ultimate control over the use and disclosure of their personal information.

Applying Principle 4 to your organisation

Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 4:

  • Has your organisation identified the different purposes for which it processes personal information?
  • How does your organisation assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?
  • Does your organisation process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?
  • What is the relationship between the further processing and original purposes for which the information was collected?
  • What type of personal information does your organisation generally subject to further processing?
  • How does this further processing affect the individual to whom the information relates, i.e. is it likely to benefit/prejudice the individual?
  • Is the personal information obtained directly from the individual concerned or from other sources, e.g. third parties, marketing databases, internal leads?
  • Is the further processing required in terms of any contractual obligation between your organisation and the individual concerned, or a third party?
  • Does your organisation inform the individual concerned when personal information is used for a purpose other than originally disclosed?
  • When and how is this communicated to the individual?

Contact

Farzana Badat
Regulatory Compliance
Tel: +27 (0)11 647 5576
farzana.badat@kpmg.co.za